Bug 331 - User authentication fails "NT_STATUS_NO_LOGON_SERVERS (PAM: 4)"
User authentication fails "NT_STATUS_NO_LOGON_SERVERS (PAM: 4)"
Status: CLOSED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: winbind
3.0.0preX
All Solaris
: P3 major
: none
Assigned To: Gerald (Jerry) Carter
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2003-08-20 07:49 UTC by Brian King
Modified: 2005-11-14 09:24 UTC (History)
0 users

See Also:


Attachments
winbind -d10 (50.94 KB, text/plain)
2003-08-20 07:54 UTC, Brian King
no flags Details
smbd -d10 (74.39 KB, text/plain)
2003-08-20 08:01 UTC, Brian King
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Brian King 2003-08-20 07:49:37 UTC
First, I may have attributed this to the wrong "component", I'm not sure where 
this is going wrong.

I can authenticate to the UNIX share (using ADS security) from a win2K client 
for a short time after samba is restarted, but eventually (within a couple of 
hours) I start getting the windows message "there are currently no logon 
servers available to service the logon request".

I have found that a "net ads join" makes the problem go away without restarting 
samba. I am currently using the CVS code from 2003-08-18 plus the winbind patch 
from bug 282.

I will be attaching debug 10 logs shortly.
Comment 1 Brian King 2003-08-20 07:54:01 UTC
Created attachment 90 [details]
winbind -d10

Items of note in the attachment:

SNB-FTON-AD1 = the primary AD server
SNB-FTON-DBS8 = the Unix server
SNB-FTON-BMC1 = the win2k client
SNB.CA = the AD realm
MYGROUP = the workgroup line from smb.conf

"could not open handle to NETLOGON pipe"
Comment 2 Brian King 2003-08-20 08:01:46 UTC
Created attachment 91 [details]
smbd -d10

Items of note:

[2003/08/20 11:29:10, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/SNB couldn't be found
[2003/08/20 11:29:10, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(172)
  no entry for trusted domain SNB found.

... First occurance of MYGROUP instead of SNB ...
[2003/08/20 11:29:10, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/SNB couldn't be found
[2003/08/20 11:29:10, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(172)
  no entry for trusted domain SNB found.

...
[2003/08/20 11:29:10, 5] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [xbking] FAILED with
erro
r NT_STATUS_NO_LOGON_SERVERS
[2003/08/20 11:29:10, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:	Authentication for user [xbking] -> [xbking] FAILED
with
 error NT_STATUS_NO_LOGON_SERVERS

...

[2003/08/20 11:29:10, 5] auth/auth_util.c:make_user_info_map(216)
  make_user_info_map: Mapping user [SNB]\[xbking] from workstation
[SNB-FTON-BMC
1]
[2003/08/20 11:29:10, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/SNB couldn't be found
[2003/08/20 11:29:10, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(172)
  no entry for trusted domain SNB found.
...
[2003/08/20 11:29:10, 3] auth/auth.c:check_ntlm_password(216)
  check_ntlm_password:	Checking password for unmapped user
[SNB]\[xbking]@[SNB-
FTON-BMC1] with the new password interface
[2003/08/20 11:29:10, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:	mapped user is: [MYGROUP]\[xbking]@[SNB-FTON-BMC1]

...
[2003/08/20 11:29:55, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/08/20 11:29:55, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2003/08/20 11:29:55, 3] smbd/connection.c:yield_connection(76)
  yield_connection: tdb_delete for name  failed with error Record does not
exist
.
Comment 3 Brian King 2003-08-20 08:05:25 UTC
Also interesting.

smbclient -k \\\\snb-fton-dbs8\\public
(from a remote UNIX machine)

works while connecting from the win2k box with the same AD/kerberos credentials 
gives the "no logon servers" message.
Comment 4 Brian King 2003-08-20 12:03:42 UTC
More strangeness that appears to be related.
I've used 'setfacl' to allow 2 groups access to a directory/share.

bash-2.05# 
getfacl /oracle/app/oracle/admin/planet/P2900AT/files/planetexternaldata

# file: /oracle/app/oracle/admin/planet/P2900AT/files/planetexternaldata
# owner: oracle
# group: MYGROUP\planet-external-data-mt
user::rwx
group::r-x              #effective:r-x
group:MYGROUP\planet-map-admin-mt:rwx               #effective:r-x
mask:r-x
other:r-x

When I assigned the facls, it said 'SNB' where it says MYGROUP above.
After I stop and start 'nscd', a getfacl shows the correct info again:

bash-2.05# 
getfacl /oracle/app/oracle/admin/planet/P2900AT/files/planetexternaldata

# file: /oracle/app/oracle/admin/planet/P2900AT/files/planetexternaldata
# owner: oracle
# group: SNB\planet-external-data-mt
user::rwx
group::r-x              #effective:r-x
group:SNB\planet-map-admin-mt:rwx               #effective:r-x
mask:r-x
other:r-x

There seems to be some kind of 'blip' where the domain/realm switches to 
MYGROUP temporarily and this confuses nscd, and possibly other things as well. 
(just a guess)
Comment 5 Brian King 2003-09-10 05:54:32 UTC
I have not seen this re-occur since upgrading to newer CVS versions. Not sure 
exactly when it disappeared, or if it's just a very rare occurance. Close and 
I'll re-open if I ever see it again?
Comment 6 Gerald (Jerry) Carter 2003-09-10 07:16:45 UTC
assuming this is really for Samba 3.0
Comment 7 Gerald (Jerry) Carter 2005-02-07 09:05:25 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.
Comment 8 Gerald (Jerry) Carter 2005-08-24 10:15:37 UTC
sorry for the same, cleaning up the database to prevent unecessary reopens of bugs.
Comment 9 Gerald (Jerry) Carter 2005-11-14 09:24:20 UTC
database cleanup